<?php

/**
 * Access Controll List plugin voor Front Controller.
 * 
 * Voeg dit toe in application.ini:
 * resources.frontController.plugins.acl = "Ahs_Controller_Plugin_Acl"
 * 
 * @author Olivier Parent
 * @copyright Copyright (c) 2011 Artevelde University College Ghent
 */
class Ahs_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    
    protected $_acl;
    
    public function __construct()
    {
        $session = new Zend_Session_Namespace('acl');
        if ( isset($session->acl) ) {
            $this->_acl = $session->acl;
        } else {
            $acl = new Zend_Acl();
            $acl->addRole(new Zend_Acl_Role('guest' )                 ) // niet-ingelogde gebruiker
                ->addRole(new Zend_Acl_Role('member'), array('guest' )) // Geeft error als ik het wegdoe
                ->addRole(new Zend_Acl_Role('admin' ), array('member')) // ingelogde beheerder

                ->allow('admin') // Geef rol 'admin' toegang tot alle resources met alle privileges.

                // defaultModule
                ->addResource('defaultModule')
                ->allow(null, 'defaultModule') // Geef alle rollen toegang tot resource 'defaultModule'

                ->addResource('errorController')
                ->allow(null, 'errorController')

                ->addResource('indexController')
                ->allow(null, 'indexController') // Geef alle rollen toegang tot resource 'indexController'

                ->addResource('userController')
                ->allow(null, 'userController')
                ->deny('guest'  , 'userController', 'logoutAction') // wordt overgeërfd door member en admin!
                ->allow('member', 'userController')
                ->deny('member' , 'userController', 'registrationAction') // Rol 'member' (en 'admin' door overerving) hebben geen toegang tot privilege 'registrationAction' in resouce 'userController'

                ->addResource('departmentController')
                ->allow(null, 'departmentController') // Geef alle rollen toegang tot resource 'indexController'
                    
                ->addResource('shelfController')
                ->allow(null, 'shelfController') // Geef alle rollen toegang tot resource 'indexController'    
                
                ->addResource('keywordController')
                ->allow(null, 'keywordController') // Geef alle rollen toegang tot resource 'indexController'    
                  
                ->addResource('promotionController')
                ->allow(null, 'promotionController') // Geef alle rollen toegang tot resource 'indexController'    
                  
                ->addResource('responsibleController')
                ->allow(null, 'responsibleController') // Geef alle rollen toegang tot resource 'indexController'    
                
                ->addResource('tipController')
                ->allow(null, 'tipController') // Geef alle rollen toegang tot resource 'indexController'    
                     
                    
                // serviceModule
                ->addResource('serviceModule')
                ->allow(null, 'serviceModule') // Geef alle rollen toegang tot resource 'serviceModule'

            ;
            
            $session->acl = $this->_acl = $acl;
        
        }

    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        parent::preDispatch($request);

        $request = $this->getRequest();

        $auth    = Zend_Auth::getInstance();
        $storage = $auth->getStorage()->read();
        $role    = $auth->hasIdentity() ? $storage->user_role : 'guest';

        $module     = $request->getModuleName()     . 'Module';
        $controller = $request->getControllerName() . 'Controller';
        $action     = $request->getActionName()     . 'Action';
        
        $acl = $this->_acl;
        if ( $acl->isAllowed($role, $resource = $module, $privilege = $controller) ) {
            if ( $acl->isAllowed($role, $resource = $controller, $privilege = $action) ) {
                return true;
            }
        }
        
        throw new Exception("Access violation for role '{$role}'");
    }
}